Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
So guys, a middle aged man is lying in a
hospital bed. A nurse comes in and says, I'm sorry,
but your wife has signed a DNR order. Oh now,
that's not .NET Rocks, that's do not resuscitate. And
he says, but I'm only here for a sprained ankle.
(00:21):
The nurse says, unfortunately, she insisted. Okay, well that's Security
This Week. I'm Carl Franklin, and that's Duane Laflotte, Patrick Hynds.
I am the one who's out of town. I'm in
(00:43):
Dallas right now. But the show must go on. So
we have our eight stories, and starting with BleepingComputer:
Cisco fixes max severity IOS XE flaw letting attackers hijack devices.
That is some serious acronym soup right there.
Speaker 2 (01:04):
Somebody help me, right, I know. Yeah. So for those
of you who don't know what Cisco is, it's odd.
So Cisco is the backbone of the Internet, right, routers, which
is all sorts of really high end networking devices for
and used on most of the fabric of the Internet. Honestly,
the Catalyst 9600s, 9500s, 9800s.
(01:28):
You know, we're talking about these as wireless controllers. But
there's a lot of really, like a lot of data
goes through Cisco every day. What I always found
odd is you see this and it says max severity
vulnerability found in IOS, right, which seems weird. Hey, heads up?
IOS was actually used by Cisco before
(01:51):
it was used by Apple.
Speaker 3 (01:52):
I'm shocked they didn't sue them. See Apple, isn't that weird?
Speaker 2 (01:56):
I always thought it was weird too because I was
a Cisco firewall administrator and I remember, you know,
we talked IOS. It was always Cisco's operating system, right,
no kidding. Then Apple came out and was like, yeah,
it's iOS, and we're like, wait a second.
Speaker 1 (02:08):
Well, the difference is it's in uppercase.
Speaker 2 (02:11):
Exactly. Apparently case sensitive. I wonder if you did try
and trademark something with SQL injection, if that would, anyways, continue.
Speaker 1 (02:26):
Hard evil evil?
Speaker 3 (02:28):
So is this reminiscent of the Log4j one? Only
that it's, wasn't that also a JSON web token?
Speaker 2 (02:34):
Yes? Yeah, absolutely, yeah. So it's very similar. And we
see this a lot in any sort
of XML serialization, JSON serialization attack where you can
put special characters inside of a payload, right, a JSON
or an XML, and have it unpacked, and then they
(02:57):
try and create objects from it and, lo and behold, you know,
you run into all sorts of issues. So, according to this,
an attacker who successfully sends a specifically crafted
HTTPS request to the AP image download interface would be
able to execute code as root on the derived device,
(03:19):
allowing full device takeover. It still surprises me that there
are endpoints you can access that are running under privileged accounts.
Yeah, right. It makes no sense to me why a
daemon or a service or whatever are running under root
or system level privilege.
Speaker 3 (03:38):
Because demons are evil, especially those with that authorization.
Speaker 2 (03:44):
You know. I don't know how you guys pronounce it.
I always pronounce a demon. I've heard a lot of
people call it damon, but I like demon better because
you know Linux, right.
Speaker 1 (03:52):
I used to run an email server
called MDaemon. Yeah, and then all came out with
Good Will Hunting.
Speaker 2 (03:58):
And that was then you just couldn't. You couldn't use
them anymore.
Speaker 1 (04:02):
No, I couldn't.
Speaker 2 (04:03):
Yeah, right, go to Gmail. On that note, if you
are running a Catalyst 9800-CL cloud wireless controller,
a 9800 embedded wireless controller, or a Catalyst
9300, 9400, 9500. Really any Catalyst,
go out and make sure you are patched.
Speaker 1 (04:21):
Patch Patch Patch.
Speaker 2 (04:22):
That's, okay, a theme this week, by the way.
Speaker 1 (04:24):
Yes, I was just gonna say, because speaking of patch,
that show patch show.
Speaker 2 (04:31):
If you've got technology, go patch it.
Speaker 1 (04:33):
Right and we're done, So patch Tuesday.
Speaker 3 (04:36):
When they say image download, do we know if that's
the like firmware image or like a picture image.
Speaker 2 (04:43):
No, no, no, I believe that's a firmware image.
Speaker 3 (04:46):
That's why I say. That's why I thought, yeah, because
that's also it's like, why would you let them download
the firmware in the first place. I understand why that
would be privileged.
Speaker 2 (04:57):
Yeah, I mean so sometimes sometimes it has to do
with backing up the firmware that's on that particular device something.
Speaker 1 (05:05):
Only if you really want to be convenient, you'd have
an endpoint that updates the firmware just by calling it.
Speaker 3 (05:12):
That's right, right, Yeah, I think that's what this is.
Speaker 1 (05:16):
Yeah, how stupid is that?
Speaker 3 (05:20):
I just want to clarify when they say image they're
not talking about selfies.
Speaker 1 (05:23):
Uh no, okay. Microsoft May 2025 Patch Tuesday
fixes five, count them, five exploited zero-days and seventy
two flaws. Good on you, Microsoft.
Speaker 3 (05:34):
It's just another Tuesday.
Speaker 1 (05:36):
It's just another Tuesday.
Speaker 2 (05:38):
I love it. We just throw away zero-day like, ah, yeah,
there were five zero-days.
Speaker 1 (05:41):
It's five zero-days.
Speaker 2 (05:43):
It used to be used to be they were like.
Speaker 3 (05:45):
Well, exploited zero-days. Remember we talked about this
a little bit, that it's getting closer and closer. We're
seeing less and less daylight between when they're discovered
and when they're exploited. My bet is that these were
discovered and then they got an exploit out in
the wild before they got a patch ready for it.
Speaker 2 (06:07):
Right, sure, yep, yep, absolutely yeah, and Microsoft would know.
You know, it's funny. A lot of people ask me, like,
what's the best sort of endpoint detection system that can
pick up viruses and that sort of stuff, and I
always, it sounds weird, but I always say Defender,
and people are like, well, that's weird. Microsoft Defender.
I mean, Defender's always been, you know, Microsoft, it's never
been the top of the charts, and I'm like, who
(06:28):
else on Windows should know what's running on Windows?
Speaker 1 (06:32):
Right?
Speaker 2 (06:32):
Probably Microsoft?
Speaker 3 (06:34):
They got religion about that. It's really a great product now.
Speaker 1 (06:38):
And since Windows XP Service Pack one or.
Speaker 2 (06:41):
Two, yep, yep, Windows 95. Who anyways, oh yeah,
that was the wild, bless, the best of
the best, Windows Bob. All right. So seventy two flaws.
What I love also is a lot of times in
Patch Tuesdays now they say, hey, there's seventy two security flaws. Yeah, right,
(07:03):
seventeen privescs, two bypasses, twenty eight RCEs, twenty eighteen
information disclosures, seven denials, and two spoofing vulnerabilities. No, by
the way, there's a couple of other things we fixed.
If you want that, you can go read the sub-notes.
Now it's the security Tuesday patch, not just the patches.
Speaker 1 (07:24):
I really hope in this age of layoffs, that Microsoft
doesn't lay off their security people. Oh my god, you know,
can you imagine if Patch Tuesday was like we fixed
five patches, it.
Speaker 2 (07:35):
Was oh no, yeah, that's when you know, Carl, that's
what that'll be. The litmus test is when we only see, yeah,
one thing fixed this week guys. They're like, hey, no, Patches.
Speaker 3 (07:49):
I saw something where Microsoft was saying thirty percent of
their code is now being written by AI. No really,
something along those lines.
Speaker 1 (07:57):
So you know, well there are some people you might
catch rises AI.
Speaker 2 (08:01):
Yeah, that's true, right. I think it would be ironic
if the thirty percent was written by ChatGPT.
Speaker 3 (08:06):
But anyway, God of Chatty.
Speaker 1 (08:12):
It's been writing itself for the last year. Okay, so
we'll move on. That's just really good to know actually
that you know they are still fixing things, and it's
a good sign, not a bad sign.
Speaker 3 (08:22):
Go Patch, yep, yep, absolutely all right.
Speaker 1 (08:25):
Who wants this next one? It's a security advisory bulletin
forty seven? But what is it really?
Speaker 2 (08:31):
I do? But before we go into this, I think
if we had like a NERD sports team, we probably
would name them Patch, so we could say, go Patch,
Go Patch. Is that go Patch, right exactly? I don't
know what sport they would play? Chess maybe anyways, roller ball.
Speaker 1 (09:00):
I'm reading this security advisory bulletin and I have no
idea what the product is. All right, I
had the published date, I have the edit date, the vision,
the revision, a summary: a malicious actor with access to
the management network could execute remote code. What's the product?
Speaker 3 (09:16):
So here's here's the deal. Here's the deal.
Speaker 2 (09:17):
Like, so this is the Ubiquiti UniFi Protect cameras. So
if you're running Ubiquiti, Ubiquiti is an ecosystem, think like
Cisco, Fortinet, that sort of stuff, fordin nets go
obsume anyways, but they're an ecosystem that has firewalls, they
have cameras, they have network switches, they have power distribution
(09:40):
units that you can control over the network. So an
entire network fabric, including from firewall all the way down
to pan-tilt-zoom cameras and, you know,
4K cameras and license plate readers and door controllers
and elevator controllers and that sort of stuff. We actually
really do like Ubiquiti quite a bit. We have standardized
(10:01):
on it, and on our Discord there's actually a pretty
active conversation going on about setting up UniFi, setting up
Dream Machines and that sort of stuff.
Speaker 3 (10:12):
And prominently in those discussions, I'm sure, is don't put
it on the internet and protect the network. So that's
a big diminishing factor in this ten score.
Speaker 2 (10:25):
Absolutely. So what's interesting about this score is, first off,
so it says a malicious actor with access to the
management network. So the way when you implement a UniFi,
like a Dream Machine or a switch or a router or whatever,
there's a management network. All the devices talk to each
other on a management network by default. That's the first VLAN, right,
and then you carve off your production network VLAN,
(10:47):
your DMZ, whatever it is you're carving off.
This is something we would always recommend. Nobody should ever
be on that management network, ever, right. And
there's no reason to have anything on that management
network other than the devices themselves, the cameras or whatever.
So it would be weird for something else to get
to that management network. That would be hard, only if
(11:09):
you've kind of misconfigured things, so you're absolutely right, or.
Speaker 3 (11:11):
Used a trivial password and it's a Wi-Fi network.
Speaker 2 (11:14):
Yeah, and or, you know. And even then, even if
you were to use a trivial password and it's a
Wi-Fi network and somebody got on the Wi-Fi,
they still would have to have access to the VLAN,
that is the management VLAN. So there again, if you
had created a wireless VLAN that only has access to
the Internet. Right, at this point, this is, it's
not even exploitable, but it is. It is a ten
(11:35):
because it can be exploited. It is a heap buffer
overflow on those cameras. What's interesting is the moment
this hit the wire it actually got posted in our
Discord by one of our users had posted
it in Discord. I think that was, was it Cliff?
Might have been Cliff. No, is that one one seventeen
(11:56):
had posted it. So the lock picks, that I got it.
I'm going to send one seventeen a lock pick set.
So he posted it in our server, and
then instantly, you know, obviously our security guys were like, wow,
we should check our cameras, and sure enough they had
already patched. So we had already, you know, because we
have auto patching on all of them, had already updated.
Speaker 1 (12:14):
So, you know, here's the thing I can't get over
about this. I never heard of Ubiquiti before. The name
Ubiquiti is nowhere on that advisory. I went to the homepage.
The name Ubiquiti is nowhere on the homepage except right
for the title of the website, which I cannot copy
and paste.
Speaker 2 (12:30):
You have to be a fanboy.
I'm just saying, you gotta know. But
those are Ubiquiti UniFi devices. Yeah, all the devices, by
the way, like fantastic suite of products. I like, my
house is decked out with Ubiquiti cameras and all that
good stuff. Even to the point where anybody drives by
my house, not only does it categorize the vehicle, but
(12:52):
also records their license plate and has all like facial recognition.
I mean, there's there's a whole lot going away.
Speaker 1 (12:59):
To win friends and influence people.
Speaker 3 (13:01):
My favorite is the Ubiquiti mind.
Speaker 2 (13:04):
So wait, I will tell you though, I will tell you.
At one point, there was an incident in my neighborhood
and it was a couple of doors down.
Speaker 3 (13:12):
It was a what new neighborhood? An incident in my neighborhood.
Speaker 1 (13:14):
Oh I remember, was this the guy that got arrested.
Speaker 2 (13:17):
For, no, no, not that guy. That incident happened, that's
on the side of the neighborhood. So there was an
incident in my neighborhood and the cops were called, and
it was a couple doors down and, you know,
obviously it is late at night and whatnot. And my
neighbors go, oh, well, you know, my neighbor down the street,
a couple of doors down, has a camera. You know,
(13:39):
maybe they caught the culprit, right, going by? Okay,
and an officer comes up to my office. He knocks on
the door at, you know, midnight. He says, can I, hear you got some cameras? Can we, you know, camulate?
And I said yeah, sure. He comes up to my
office and I have an eighty five inch TV on
the wall with all of the camera feeds up, and
I have my, you do?
Speaker 3 (14:00):
He said, where's the meth lab?
Speaker 2 (14:02):
And I have this fifty five
inch monitor in front of me, two side thirty two
inch monitors, and I have the cameras up and I'm like, okay,
what are we looking for? And he's like, I think
it was a blue car, and I narrowed down like
all blue cars. I'm like, all right, what kind are
we thinking? Sedan or what? What angle? And he's
like, I haven't seen a setup
like this since I watched Iron Man. Like this is
(14:24):
this is this is impressive?
Speaker 1 (14:26):
So you type into your AI chat blue car possible.
Speaker 2 (14:30):
Sedan just just just pop up. Yeah, exactly.
Speaker 3 (14:34):
So as much as your neighborhood sounds like a
hotbed of vice and tyranny, my bet is, knowing your
actual neighborhood, that the kerfuffle was somebody planted too much
rye grass. Yeah, pretty much, and not enough Kentucky bent. Uh.
Speaker 2 (14:51):
I believe it's Kentucky blue.
Speaker 3 (14:53):
But yeah, yes, see, that's why I don't live in
that neighborhood. Not allowed. I failed the drab and not
that kind of grass test.
Speaker 2 (15:04):
Yeah. So anyways, there's my Ubiquiti story.
Speaker 1 (15:07):
All right, let's talk about the other iOS, the Apple iOS.
Apple patch used with the other.
Speaker 3 (15:14):
Well, they do travel in packs, don't they.
Speaker 1 (15:18):
Apple patches major security flaws in iOS and macOS platforms
pretty much their desktop and mobile devices. That's all of them,
isn't it.
Speaker 2 (15:29):
Yeah? Pretty much. I guess I can't think of anything else.
Maybe Apple TV, tvOS, Apple, probably might be
in there. I don't know. So this is iOS 18.5.
So any of you who are running auto updates
on your phone probably saw that. It was like, hey,
I need to update relatively soon. I'm watching Patrick as
(15:49):
he like sneakily tries to look at his phone. It
was a joke.
Speaker 3 (15:53):
Try joke.
Speaker 2 (15:55):
This is a bar of soap that I carved into a
phone so that people can't steal it. So this
update says: the new iOS 18.5 update,
rolled out alongside patches for iPadOS, fixed
critical bugs in the AppleJPEG and CoreMedia pieces
(16:18):
of the software. And if you continue to read down,
it looks like you have the ability to, well, there's
actually a couple of interesting flaws in here you probably
heard about. There's a WebKit flaw that was actually patched in here.
But there was also a code execution bug in here
as well that was fixed. There's a bunch of different
(16:39):
things that are fixed in here under several CVEs. But
let me just read some of these CVEs out. First off,
the company patched a serious mute button flaw in FaceTime.
Oh no, that exposes the audio conversation even after muting the mic.
So talk to you.
Speaker 1 (16:57):
Person, is your husband's coming up the driveway? Your clothes on?
And then yeah, just.
Speaker 2 (17:08):
Are you for imprint? Certainly, so that one might be important.
Speaker 1 (17:17):
That could be embarrassing, not incredibat.
Speaker 2 (17:22):
Right, but then they fixed a couple of memory corruption issues,
some mDNSResponder issues. So mDNS is, you
all know what DNS is? Right?
Speaker 1 (17:32):
Yes? Well, right, we assume everybody has because they've all
listened to all of the Security This Week shows, including
the early ones where we explained it.
Speaker 2 (17:42):
mDNS. Think of it as more of like a
dynamic DNS, like I put a device on, actually, this
happens a lot with things like Raspberry Pis. Put them
on your network, they broadcast their name, right, and then
the network, when I go to raspberrypi.local,
it just automatically connects to it. Yep, to this. So
there was a flaw on those as well. So needless
(18:03):
to say, if you haven't got auto patch on, which
I know Patrick does, but if you haven't, turn on
auto patching and go patch your Apple before.
Speaker 3 (18:12):
I still have Lockdown running on my phone. Yeah, last
man standing, I'll be in the country.
Speaker 1 (18:17):
That was Patrick's first security podcast.
Speaker 3 (18:20):
Yeah, oh that's right, it was, and I had a
product that we developed that was called Lockdown for a
little while.
Speaker 2 (18:27):
It's the name I like, right, I know. Yeah, Yeah,
that was with Michelle.
Speaker 1 (18:31):
Michele Leroux Bustamante. Yeah, one of the coolest things
I ever did with DNS, and I've been messing
with it ever since, you know, whenever, the nineties. All right,
so is that, I have this. I don't need to
go into it, but I basically have a machine on
my mantle with a big monitor that cycles random photos
(18:53):
from my life, right, and I wrote the app and
I wanted to give a DNS name to a local,
non-routable, local host kind of thing address, and you
can do that, and I registered it with DNS. So
you go to DNS to whatever your name is, dot com.
(19:16):
It routes to, you know, seven zero zero one or not,
you know, just a local IP address, right, ten, ten,
forty five, ninety, whatever.
Speaker 3 (19:26):
Non-routable address, non-routable, but.
Speaker 1 (19:28):
It still works. Yeah, then nobody else is going to
hit that because it's non-routable. So if they have
that IP address locally and it's running something,
then congrats to them.
Speaker 3 (19:40):
It'll hit that, it'll hit that, it won't, it
won't reach across the interwebs.
Speaker 1 (19:45):
But it will at least resolve the name, which, exactly,
so cool. Yeah, yeah, all right, so the, you know,
moral of the story: patch.
Speaker 3 (19:53):
Patch. Never heard that. The word patch is in the
next title.
Speaker 2 (20:00):
Oh my gosh.
Speaker 1 (20:00):
Yeah, but wait, we're gonna wait until we take a
break until we read that. Say stay tuned, Yeah, stay tuned,
I said tombed to stay.
Speaker 2 (20:09):
In tomed Okay. In fact, we're back.
Speaker 1 (20:17):
It's Security This Week. I'm Carl, it's Duane and Patrick,
and, uh, more in the Hacker News. Samsung patches
CVE-2025-4632 used to deploy,
I don't know how to say this, but.
Speaker 3 (20:31):
Mirai. Mirai, Mirai, Mirai. But that very famous botnet,
aud for a while mad. The source code got released
at one point.
Speaker 1 (20:42):
Via MagicINFO 9 exploit.
Speaker 2 (20:45):
Yeah.
Speaker 3 (20:45):
Yeah, so Mirai is a botnet that was very prolific
in the early rise of botnets, and then they got hacked.
Speaker 2 (20:56):
I think one of.
Speaker 3 (20:56):
Their people became less gruntled and posted the source code,
and then as a result, they kind of went dormant,
and then it emerged again because everybody had the source code,
so a lot of variants started to pop up that
were based on the Mirai code. I don't know who's
(21:16):
operating this version, but basically the thing about Mirai
is it's got a lot of different ways to infect
through a lot of different vectors, and so this is
one of them that is being patched so that Samsung devices
aren't vulnerable through this pathway.
Speaker 2 (21:35):
Yeah, and to make sure we're clear on what types
of Samsungs, everybody like stomps on their Samsung phone.
And this is the Samsung MagicINFO 9 server. So
you ever walked down Times Square and you see all
of those signs, digital signs displaying stuff in New York,
probably run by a Samsung MagicINFO 9 server, so they
(21:57):
run digital signage. What's interesting about digital signage is
there are companies that we have breached and stayed persistent
through their signs. So they may have a sign that
welcomes people to the organization. They may have a sign
that's in their cafeteria that displays the, you know, items
for purchase and that sort of stuff. And it's a
(22:18):
great place for us to, once we breach a network,
store code that reaches out to us periodically because no
one checks it, and gives us access. Yeah,
because nobody's going to check it. Nobody's gonna, did you go.
Speaker 1 (22:30):
To sign four oh one dot Samsung dot com
to hit that local.
Speaker 2 (22:36):
I did, I did, Yeah, and it works. It works awesome.
Speaker 1 (22:40):
That's awesome.
Speaker 2 (22:42):
So needless to say, if you're running the MagicINFO
9 server, you do absolutely want to go patch. Samsung
has some recommendations on how to do this, but the
flaw here is a path traversal flaw.
Speaker 1 (22:55):
Ahm.
Speaker 3 (22:57):
It allows the attackers to write arbitrary files as SYSTEM authority.
Speaker 2 (23:01):
Right, right, and then your signs, too, could be used
in a botnet to DDoS somebody else on the internet,
and they probably already are. Problem one. This
is a big problem because most people have been
trained to patch their systems and their phones, but the
whole IoT world and device world, refrigerators, thermostats, that stuff
(23:23):
almost never gets looked at. Again.
Speaker 3 (23:24):
Yeah, and you need a plan for that if you're
gonna have twenty plus. They say that,
I heard a stat today, twenty one is the average
number of smart devices in the average household. And
that's twenty one devices that are not getting patched.
Speaker 2 (23:38):
All right, I'm checking my house right now.
I can tell you I am running probably more than,
a lot more than twenty one. I
have forty eight devices online right now, so.
Speaker 1 (23:48):
I'm checking your house too, forty two.
Speaker 3 (23:52):
If you can check how many that way,
you can probably patch them all.
Speaker 2 (23:56):
Yeah, you should.
Speaker 1 (23:58):
Offer a challenge to the guys in
the Discord server. If you can tell me how many
devices I'm running in my home, then you can come
and work for us.
Speaker 2 (24:09):
Right there you go. No, we learned a long time
ago not to provoke hackers.
Speaker 1 (24:19):
All right, all right, my favorite company, Fortinet, is back
in the news.
Speaker 3 (24:25):
We used to use their piet firewalls, and we did, yeah, yeah,
until we didn't, so they started making the news every episode.
Speaker 1 (24:35):
So this is an exploit in FortiVoice systems. All
of their products start with Forti, F-O-R-T-I,
yep, so Forti, FortiVoice systems. So it's a
zero-day RCE flaw. What happened here?
Speaker 2 (24:48):
So this issue is very similar to what we
were just talking about with Ubiquiti, right. So Fortinet has
the same sort of ecosystem where they have, you know,
mail routers and servers, and they have voice recorders and
they have all sorts of, you know, camera servers, that
sort of stuff. So they have devices for all of these.
(25:09):
And here again, this is also, oddly, a stack-based overflow,
very similar to what was happening on the Ubiquiti camera systems.
And this, you're absolutely right, is an exploit for FortiVoice,
FortiMail, FortiNDR, FortiRecorder, and
FortiCamera. So if you're running any of those particular devices,
(25:30):
there's a remote, unauthenticated attacker path to execute arbitrary code
via an HTTP request.
Speaker 1 (25:38):
So do we have to throw it in the Forti
trash bin?
Speaker 2 (25:41):
Or FortiGate? Get it?
Speaker 3 (25:44):
You could, but it's down for patching.
Speaker 2 (25:47):
Yeah, okay, I'm sorry. Yeah. So you absolutely are gonna
want to go out and patch this one. What's interesting
about this, like the Ubiquiti one we talked about, listen,
that's if you have access to the management network, and
if implemented properly, there's no way you get access to
that management network. In this particular one, there's no sort
(26:09):
of designation as to how you would have access to this.
So my guess is as long as you can get
to the HTTP interface on any of those devices, you're
probably susceptible.
Speaker 3 (26:20):
My bet is this is a chassis that they run
everything on. And what's interesting is it's not the Fortinet firewall, right,
and we really haven't seen the Fortinet firewall in a
lot of these news items. So you know, Fortinet to
me is not known for voice systems or mail systems
or recorder or camera. That's not what they were known for.
(26:43):
So you got to be careful when companies branch out
into other areas.
Speaker 1 (26:48):
Yep, yes, yes, yes, I could say something evil, but
I'm not going to. But you're right, you just have
to be careful.
Speaker 3 (26:57):
Not yet, I'm sure you'll say something evil eventually.
Speaker 1 (27:00):
Well, yeah, after we record. All right. So China is
in the news again. Who knew? China-based hack targets
UK companies in critical national security threat. So last week
we talked about M&S and Harrods, and so unlike those attacks,
(27:23):
this incident was not ransomware but rather remote code execution.
Speaker 2 (27:32):
Yeah, this is this is tough. Really, the UK can't
and they've from they've been I know, right.
Speaker 3 (27:37):
They can't catch a break. Well, they did get a
trade deal with us.
Speaker 1 (27:41):
Yeah, but we can't send them our tainted meat. They
don't want it. They don't want chlorinated hormone laden with them.
Speaker 3 (27:53):
That American tainted meat was great American taint.
Speaker 2 (27:59):
So this was, this is a family show,
I thought. After that iPhone mute story, maybe not, but
so this one seems to do with the
SAP NetWeaver product, and NetWeaver was in the news this week.
(28:20):
Let me see if I can do.
Speaker 3 (28:22):
It's a patched, it is a patched problem.
Speaker 2 (28:25):
So yeah, same, yep, absolutely, so it is a patched problem.
But the problem is, I mean, every once in a
while somebody is going to find an exploit and it's
not patched. And this is where good architecture and networking,
making sure endpoints that don't need to be accessible
on the Internet are not. We talked about this with
the Ubiquiti, making sure that the management plane is
(28:46):
not accessible to the general users on a wireless, for example.
So yeah, absolutely, Patrick, I agree with you. Patch always,
automatically if you can, but if you can't, good architecture
can save you if you do things right. So, for example,
if the SAP NetWeaver interface doesn't need to be
accessible to the gen pop, if you will, then
(29:06):
you know, maybe you locked that down.
Speaker 3 (29:08):
Several companies were actually hit by this, including k Dent
News UK, Euro Garages, and, I can't say
that, ard ug metal. That sounds like you say just
as you're shot, or story dais tant, Danish?
Speaker 2 (29:31):
Now this was a zero-day vulnerability, by the way, so this,
you know, yeah, patching wouldn't have potentially helped you on this.
Speaker 3 (29:41):
That's a valuable thing to spend at this time.
Oh, absolutely, so I wonder what caused China to use that,
because you don't spend those lightly, because once they're gone,
now it's patched, right, right, right? Absolutely? Uh, interesting.
Speaker 2 (29:57):
I'm sure we will hear more about this as we go.
Speaker 1 (29:59):
For Duane. You're sure you don't have a house in
the UK.
Speaker 2 (30:02):
I don't know what you're talking about. I can't confirm
nor deny his own name.
Speaker 1 (30:06):
Yeah, exactly, all right, so we're done with this one, right.
Speaker 2 (30:09):
Yes we are, Yes, okay, catch patch.
Speaker 1 (30:12):
So now this has nothing to do with a.
Speaker 3 (30:14):
Patch only non patch story.
Speaker 1 (30:16):
The only story we actually have that doesn't have to
do with patching, but it does involve Siri, that Apple
assistant, spying on people, and they know it did because
they're settling with a class action suit for ninety five
million dollars. And you too can submit your claims to
(30:37):
get your ninety dollars out of it.
Speaker 3 (30:39):
Nine hundred and fifty thousand people can get one hundred
dollars if approved.
Speaker 2 (30:47):
The settlement pays out a cap of twenty dollars per device.
Speaker 3 (30:51):
So you have to have five devices.
Speaker 2 (30:53):
You have to have five devices to get the even
to get the maximum, maybe to get twenty bucks.
Speaker 1 (30:57):
Yeah, and so I didn't read the details, But how
do you actually prove that you've been spied on unless
you have the copy that Siri recorded from you, and.
Speaker 3 (31:10):
You have to upload some nudes and then they'll compare them.
Speaker 2 (31:17):
Yep, that's you. Here's your twenty bucks, thank you very much.
Speaker 1 (31:20):
Intelligence is starting them out. I'm sure.
Speaker 2 (31:23):
Yeah, that's an interesting question, Carl, because when I was
reading through this, it definitely said, if you had,
there was a portion of it that said, if you
had private conversations with sensitive data during this time frame
with a Siri-enabled device near you, we'll pay you.
Speaker 1 (31:46):
How can you prove it?
Speaker 3 (31:47):
And I don't know how you prove that. I don't know.
I think you just apply. The thing about these, these
are go away settlements. This is like, you know what,
we're not stipulating, we're not admitting any fault, but we're
going to pay this, so you can just go away,
and then, but then it's over. No one can come
back later on and sue separately. So it basically is
(32:09):
just a way to say, for those ten years, no
one can complain about Siri again because we already paid
our ninety five million, right, right, So.
Speaker 1 (32:15):
Do you just say, yes, I was talking with blah
blah blah, and to make up a story and it
you know, I just don't understand.
Speaker 3 (32:23):
My bet is you have to make up a convincing
story to submit and they'll probably audit like point zero
one percent, and they'll maybe they'll prosecute you for fraud
if you're one of the liars. I don't know.
Speaker 2 (32:35):
Heard.
Speaker 3 (32:38):
I never really play. I've never played in this space
with the class action lawsuits. Just the money's not there.
Speaker 1 (32:46):
Yeah, Well, you.
Speaker 3 (32:47):
Know who makes a lot of money off of these
the lawyer who the law firm that does this, of course,
because there's probably one hundred and ninety million dollar claim.
It's just that one hundred million dollars? Is that as lawyers?
Speaker 2 (33:00):
Right? Yeah?
Speaker 1 (33:02):
I mean you get these remember letters that you get
in the mail that weren't junk mail like I get.
I used to get letters about class action lawsuits. Yeah,
and when you read the fine print, you know you
can submit your claim or whatever. But you read the
fine print, it's pennies.
Speaker 3 (33:16):
You get like twenty bucks.
Speaker 1 (33:18):
It's like why, But they're doing it just because they
they have to show that they're giving everybody the option
to collect, right, even though it's costing them more in
postage than anybody.
Speaker 2 (33:30):
Will actually collect.
Speaker 1 (33:31):
Right, Yeah, right, yeah, that's ridiculous. Litigious society, ridiculous, ridiculous,
ridiculous and all that.
Speaker 3 (33:40):
It's almost an immunizing play for Apple now, because now
that this lawsuit's out, nobody can sue for that time period, right,
so, you know, the worst is over there. But now
for twenty twenty five, if you find that they've
got bugs, material bugs, in this space, that could be
another lawsuit.
Speaker 2 (34:00):
I would love to read through this and figure out
how they found out. Was it like Carl Patrick and
I were during that time talking about nuking a small country,
and then I could add about nukes or something like
like how do you discover.
Speaker 1 (34:15):
Maybe you know I told you something unbelievably. You said,
are you serious? And I said yeah, I'm serious, And
then Siri started listening because.
Speaker 3 (34:24):
Part of this was them passing the recordings to third
party quality control contractors. So, you know, you know the
old saying: three people can keep a secret if two
of them are dead.
Speaker 2 (34:35):
And one of them is not a quality control contractor,
and you imagine being one of the QC guys for that. God,
I listened to so many private conversations every day.
Speaker 3 (34:44):
Exactly crazy whistle blower. Probably, if I had to guess,
it was probably a whistleblower.
Speaker 2 (34:49):
Oof.
Speaker 1 (34:52):
Well, next week, I'm going to be at Build.
Speaker 2 (34:55):
I'm nice and sweet.
Speaker 1 (34:56):
I'm not sure. I think we can probably arrange to record.
I'm pretty sure we can, but just be aware that
everybody might be really crazy busy. Yep, so it might
be late. I don't know. We'll see, find out on Discord.
Go to discord.securitythisweek.com, join
the club. We'll see you out there.
Speaker 3 (35:16):
Bye bye, Thanks everybody.
Speaker 2 (35:18):
Bye,